Share This Story!

Leon County Schools officials said the district waited several weeks before informing teachers and students of a major data breach at Florida Virtual School so that it could conduct its own investigation and get call centers up and running to address questions and concerns.

Leon County Schools officials said the district waited several weeks before informing teachers and students of a major data breach at Florida Virtual School so that it could conduct its own investigation and get call centers up and running to address questions and concerns.

The district was informed of the data breach on Feb. 12 in an email from the publisher of DataBreaches.net, who spotted LCS data for sale on the dark web. The district didn’t begin informing people potentially affected by the breach until nearly a month later, on Friday, when it mailed notifications to more than 1,800 teachers.

Chris Petley, spokesman for the LCS, said the district followed the advice of its legal team in setting up call centers and getting written notifications ready before making a public notification.

“We wanted to ensure that there was not mass confusion,” Petley said. “We wanted to make sure that the call centers were set up and we followed the correct protocol. There were many times during this process that the superintendent wanted to do just that — pick up the phone and call the media and inform the community. But we were advised against that.”

The email from the DataBreaches.net publisher came into the district’s community involvement email account, which Petley monitors. However, he was out of the office the day the email came in and the next day because of a sick child. Two days after the email arrived, the district’s attention became squarely focused on the mass shooting at Marjory Stoneman Douglas High School in Parkland.

Petley forwarded the email to the district’s information technology office on Feb. 16, which contacted DataBreaches that afternoon. The district convened its first staff meeting about the data breach on Feb. 19, “and that set everything else in motion,” Petley said.

The district was planning to have a news conference on Tuesday but moved it up to Monday after receiving press calls. During the news conference, Superintendent Rocky Hanna apologized to affected students and teachers but put the blame squarely on the Florida Virtual School, the state’s online K-12 school.

According to LCS officials, the district gave teacher data and complete student records in 2013 to district vendor UCompass, which stored it in a server that was left unsecured for years. The Florida Virtual School acquired UCompass in January 2017.

It’s unclear exactly when the data breach happened. But Ron Hutcheson, managing director of Hill+Knowlton Strategies in Washington, D.C., which represents Florida Virtual School, said it could have occurred as early as mid-2016.

“Forensic cybersecurity experts have concluded that unauthorized access to the server began as early as May 2, 2016, when it was still in use by UCompass and Leon County — and eight months before FLVS took full possession of it,” Hutcheson said. “Rather engaging in a blame game, FLVS has focused on fixing the problem, providing protection to anyone who might have been impacted and taking action to make sure this never happens again.”

CLOSE

Identity theft is in the spotlight even more now after the huge Equifax data breach. Here are some key steps to keep you banking information, Social Security information and other personal information private.
Stephanie Dickrell, sdickrell@stcloudtimes.com

Ed Mansouri, founder of UCompass, said that before giving all of its servers to Florida Virtual School, his company did a thorough audit and believed "everything was secure." He also noted from the information he's seen, the stolen files first appeared on the dark web in June 2017, well after he sold his company.

"(FVS) had full awareness of this server and they were taking ownership and responsibility of it," Mansouri said. "And as far as we knew, there were no vulnerabilities or insecurities on it."

Florida Virtual School has said 350,000 or more of its students, teachers and parents statewide could be affected by the breach. LCS officials said the compromised data includes complete school records of LCS students and teacher information including Social Security numbers. No financial information was involved.

Elin Erickson, a Tallahassee attorney with a family member who works for the district, complained on Facebook that the notification to teachers went out on Friday just before spring break, an inopportune time for potential victims to respond. She said in an interview she’s worried that her relatives and others could have their identities stolen.

“My concern with the security breach is how far does it go, how much information was released?” she said. “Because it doesn’t take all that much ... to put together a good deal of information on someone and then be able to sell it on the dark web because there is a huge market for it in the criminal underworld.”

LCS is working with an outside law firm, a third-party forensics team and others as part of its response to the breach. The district is also planning to send mailers to more than 45,000 individuals by the end of the week notifying them of the breach. The district has a cybersecurity insurance policy with Chubb with a $25,000 deductible. It wasn’t clear Tuesday whether district costs would meet or exceed the deductible.

The district launched web pages Tuesday to inform teachers, students and parents of the breach and what they can do to protect themselves from identity theft. Former and current teachers can call LCS’s assistance line at 1-855-865-6901 for more information. Students and families are asked to call Florida Virtual School’s call center at (888) 829-6553.

For more information about the breach and services offered by the district and Florida Virtual School, visit www.leonschools.net/breach or https://www.flvs.net/notice.

Contact Jeff Burlew at jburlew@tallahassee.com or follow @JeffBurlew on Twitter.